Installing the Access Manager Agent on Windows
Prerequisites
In order to install the Access Manager Agent, the following prerequisites must be met:
Windows 8.1 or Windows Server 2012 R2 or later
.NET Framework Runtime 4.7.2 or later installed
We recommend using a configuration management tool such as SCCM to deploy the agent to your fleet.
Determine your password storage mode
The Access Manager Agent can store passwords in Active Directory or in the AMS directory. Password storage in Active Directory is only available for domain-joined clients, and requires schema extensions to Active Directory.
Azure AD devices, and standalone non-domain-joined devices always use the AMS directory to store passwords.
| Machine state | Password storage location |
|---|---|
| Domain-joined | Active Directory |
| Azure AD-joined | AMS directory |
| Azure AD-registered | AMS directory |
| Not joined to a domain or Azure AD | AMS directory |
Determine your authentication mode
When using the AMS directory to store passwords, you must decide which authentication mode the agent will use.
Azure AD-joined and registered devices can use their Azure AD certificate to authenticate automatically to the AMS server. You'll need the Azure AD tenant ID to configure Azure AD authentication.
Other devices must use a registration key obtained from the AMS server. These devices create their own authentication certificate and use the registration key a single time to register that certificate with the server. Once registration succeeds, the registration key is no longer needed and is deleted from the system.
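As an added example (not code from the Lithnet documentation or from the agent itself), the following PowerShell pre-flight script checks the prerequisites listed above and derives the password storage location and authentication mode for a device from its join state, the same join information the installer reads to pre-populate the tenant ID. It assumes the field names printed by `dsregcmd /status` on Windows 10/11 (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `TenantId`, `WorkplaceTenantId`) and the .NET Framework `Release` registry value 461808 for 4.7.2; the sample `dsregcmd` output embedded in it is constructed, not captured from a real device.

```powershell
# Added example: not part of the Lithnet Access Manager documentation or agent.
# Checks the agent prerequisites and maps the device's join state to the
# password storage location and authentication mode described above.

function Test-AmaPrerequisites {
    # Win32_OperatingSystem reports the real version regardless of app manifests.
    # Windows 8.1 and Server 2012 R2 are both NT 6.3; anything newer is higher.
    $os = Get-CimInstance Win32_OperatingSystem
    $osVersion = [version]$os.Version
    # .NET Framework 4.x is identified by the Release DWORD; 461808 is 4.7.2.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }
    [pscustomobject]@{
        OSVersion    = $osVersion.ToString()
        OSSupported  = $osVersion -ge [version]'6.3'
        NetRelease   = $release
        NetSupported = $release -ge 461808
        Architecture = $os.OSArchitecture   # decides between the x64 and x86 MSI
    }
}

function Get-AmaJoinState {
    param(
        # Lines of dsregcmd /status output; when omitted the local device is queried.
        [string[]]$StatusText
    )
    if (-not $StatusText) {
        if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
            $StatusText = & dsregcmd.exe /status
        } else {
            # dsregcmd is absent on Windows 8.1 / Server 2012 R2; those devices can
            # only be domain-joined or standalone, so fall back to the CIM flag.
            $inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
            $StatusText = @("DomainJoined : $(if ($inDomain) { 'YES' } else { 'NO' })")
        }
    }

    # Keep only 'Key : Value' lines; box-drawing and blank lines are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $domain    = $fields['DomainJoined']    -eq 'YES'
    $aadJoined = $fields['AzureAdJoined']   -eq 'YES'
    $aadReg    = $fields['WorkplaceJoined'] -eq 'YES'

    # Precedence is this script's reading of the storage-mode table: a
    # domain-joined device (a hybrid-joined one reports both flags) uses AD.
    if ($domain) {
        $state = 'Domain-joined';       $storage = 'Active Directory'; $auth = 'n/a (configured by group policy)'; $tenant = $null
    } elseif ($aadJoined) {
        $state = 'Azure AD-joined';     $storage = 'AMS directory';    $auth = 'Azure AD';         $tenant = $fields['TenantId']
    } elseif ($aadReg) {
        $state = 'Azure AD-registered'; $storage = 'AMS directory';    $auth = 'Azure AD';         $tenant = $fields['WorkplaceTenantId']
    } else {
        $state = 'Standalone';          $storage = 'AMS directory';    $auth = 'Registration key'; $tenant = $null
    }
    [pscustomobject]@{
        MachineState    = $state
        PasswordStorage = $storage
        AuthMode        = $auth
        AzureAdTenantId = $tenant
    }
}

# Constructed sample of dsregcmd /status output for an Azure AD-joined device
# (not captured from a real machine; the tenant ID is a placeholder).
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

Test-AmaPrerequisites | Format-List
Get-AmaJoinState -StatusText $sampleStatus | Format-List   # parses the constructed sample
Get-AmaJoinState | Format-List                             # queries this device
```

Two caveats when running this for real: Azure AD registration (`WorkplaceJoined`) is a per-user state, so `dsregcmd /status` run as SYSTEM or as a different user may report `NO` for a device that a user has registered; and the `WorkplaceTenantId` field is only printed in the user-state section of the output, so check it in the user's own session before relying on the tenant ID it yields.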
Download and install the Access Manager Agent
Download the latest version of the agent from the releases page. Note that you must install the x64 version on 64-bit machines, and the x86 version on 32-bit machines.
Run the AMA installation package. When prompted, choose the password storage location appropriate for your environment.
If you are using the AMS directory, you'll be prompted to select the authentication type you'd like to use. You can use Azure AD authentication if the agent is running on a Windows 10 Azure AD-joined or registered device. If the installer can detect the Azure AD tenant ID from the workstation's join information, it will be pre-populated here; otherwise, you'll need to provide the tenant ID yourself.
If your device is not Azure AD joined or registered, you'll need to use a registration key to authenticate the agent to the AMS server.
If you are using the agent in Active Directory mode, you'll need to configure the agent via a group policy. Follow the setup guide for Lithnet LAPS for Active Directory for the correct process of setting up the relevant group policy settings. Agents using AMS directory mode get their password policy from the AMS server, and do not use group policy at all.
Deploying the agent silently
You can install the MSI packages silently using the following command lines:
Silent installation in Active Directory password storage mode
Use the following command line to install the agent in Active Directory mode:
Silent installation for Azure AD-joined and registered devices
Use the following command line to install the agent in Azure AD mode, replacing the SERVER and AZUREADTENANTID values as appropriate:
Silent installation for standalone Windows devices
Use the following command line to install the agent in AMS directory mode, replacing the SERVER and REGISTRATIONKEY values as appropriate:
Viewing log files
Basic log entries can be viewed using the Windows Event Viewer, but more detailed log information is written to %ProgramFiles%\Lithnet\Access Manager Agent\logs
Reconfiguring the agent
If you need to change the agent configuration, you can do so at any time by running